The Internet Crime Complaint Center says email compromise cost people and companies over $5.3 billion over the last three years. If every person in Arlington, TX, lost $13,501, the total would be roughly the same. Arlington is a town of 392,772 people according to the latest census data.
Email compromise is a sophisticated scam that plays on trust in organizations. The scam relies on the trust placed in key individuals in a company and on the helpfulness of people in general. There are four basic styles of email compromise, all of which end in someone sending a wire transfer to an account controlled by the scammer: the fake executive email, the fake vendor invoice, the fake employee email, and the fake lawyer email.
In each of these cases, the email requests a wire transfer and may convey some sense of urgency. The scammers often time the request to arrive close to the close of business. The wire request may be phrased to look like the executive needs the money sent to a third party or to him- or herself. The tactic changes depending on your standard business practices. An email compromise scam is planned in advance so that the scammers can incorporate the methods most used in your normal course of business.
“I’m smart. I will recognize a fake.” No. You won't.
Email compromise scams are planned attacks that involve elements of social engineering and are usually preceded by phishing emails that request limited, seemingly harmless, information. In some cases, incidents of data theft, ransomware, or malware occur just before an email compromise scam. In this way, scammers are best able to mimic a legitimate business email and your typical business practices. When a cyber incident occurs in an organization, be wary of wire requests or changes to payment information that closely follow it. Be vigilant in your verification process.
“Our IT guy has set stuff up to prevent this.” No. He hasn't.
These business email compromise scams rely upon poor business practices and trust in an organization. The scam email does not look any different from a legitimate email because the fraudster has been monitoring your emails. There is a sense of urgency, and the fraudsters rely upon your basic disposition to be helpful. The scam invoice does not look any different from a legitimate invoice because your typical invoices have been monitored by the fraudster. The invoice numbering may even be in order. Do not act on helpfulness alone when help is requested by phone or email. Verify the request using external contact information.
PREVENTIVE MEASURES FOR EMAIL COMPROMISE
Initiate a three-step verification process for all wire transfers and changes to wire payment information. The following are some suggested steps to prevent becoming victimized by an email compromise scam.
1 – Log the Initial Request. Log the initial request for a wire transfer or a change to wire payment info. Ask the requestor for his or her full name, department, company address, and company phone number. Note the time and the caller ID if the request is being made by phone. If the request is an email, save a copy of the email by printing it to a PDF. Do not click links in any email.
The more local an email appears to be, the more apt you are to click on a link. Phishing scams styled to look like your local post office get a click-through rate of over 70%; that’s a rate most email marketers only dream about.
2 – Call the Person Making the Request. Pick up the actual phone and call the vendor or executive who appears to be making the request. The number must be obtained from a source OTHER THAN the email request. Verify that the vendor is actually making the request for a wire or for a change to payment information. Log the time of the phone call, the name of the verifying person, the phone number called, and the source of the phone number.
3 – Call someone else at the company to verify that a wire transfer has been requested or that a change in the company’s payment information is necessary. Require this second step of verification before any change is made.
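One way to enforce the three steps as an approval gate inside a payments or ticketing system, as an added example that is not from this article (the WireRequest and decide names, and the sample request data, are constructed for illustration). A call-back only counts if its number did not come from the request itself, and approval needs a confirmed call to the requester plus a confirmed call to a second person.

```python
from dataclasses import dataclass, field


@dataclass
class WireRequest:
    """Step 1: the logged request for a wire or a payment-information change."""
    requester: str          # name given by the requestor
    department: str
    company_address: str
    stated_phone: str       # phone number supplied in the request itself
    channel: str            # "email" or "phone"
    logged_at: str          # time the request was received
    callbacks: list = field(default_factory=list)

    def log_callback(self, verifier, number_called, number_source, confirmed, at):
        """Steps 2 and 3: record each verification call made by staff."""
        self.callbacks.append(dict(verifier=verifier, number_called=number_called,
                                   number_source=number_source, confirmed=confirmed, at=at))


def independent(req, cb):
    """A call-back counts only if its number did not come from the request.

    Even a number labelled as coming from another source is rejected when it
    matches the one stated in the request: the attacker controls that number."""
    return cb["number_source"] != "request" and cb["number_called"] != req.stated_phone


def decide(req):
    """Return (approved, reasons). Both verification calls must pass."""
    reasons = []
    good = [cb for cb in req.callbacks if independent(req, cb) and cb["confirmed"]]
    if not any(cb["verifier"] == req.requester for cb in good):
        reasons.append("step 2: no confirmed call-back to the requester on an independently sourced number")
    if not any(cb["verifier"] != req.requester for cb in good):
        reasons.append("step 3: no confirmed call to a second person at the company")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: an emailed change-of-bank-details request that names a "new" phone number.
    req = WireRequest("J. Doe", "Accounts Receivable", "1 Example St", "555-0100", "email", "2024-01-01 16:45")
    req.log_callback("J. Doe", "555-0100", "request", True, "16:50")   # wrong: number taken from the email
    print(decide(req))                                                 # not approved
    req.log_callback("J. Doe", "555-0199", "vendor master file", True, "16:55")
    req.log_callback("M. Roe", "555-0198", "prior invoice", True, "17:02")
    print(decide(req))                                                 # approved
```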
Business email compromise scams and email account compromise scams (BEC/EAC) are planned attacks. The scammers rely on poor controls and trust in an organization. Do not allow appeals to urgency, confidentiality, or helpfulness to alter your business practices for verifying a wire transfer request or a change to payment information.
For a more thorough review of your processes and the development of specific procedural plans, contact us for a privacy assessment and to develop your business email compromise response.